SnykSec for Snyk

Posted on • Originally published at snyk.io

Snyk Helps Secure the Golang Bento Project

Snyk is exploring using the open-source Golang project Bento to read data from Kafka streams and materialize intelligence to various outputs. We are pleased to share that we are proactively helping secure the Bento project by contributing dependency fix updates.  

What is Bento?

Bento is an open-source streaming data processing tool designed for ease of use and reliability. It features declarative configuration, enabling connections to diverse data sources and sinks, and handles common data engineering tasks such as transformations, integrations, and multiplexing. Written in Go, Bento is extensible through plugins, making it adaptable to various data processing needs.

The following example Bento configuration file demonstrates pipeline data processing: it reads from a Pub/Sub subscription, reshapes each message with a mapping processor, and writes the result to a Redis stream.

input:
  gcp_pubsub:
    project: foo
    subscription: bar

pipeline:
  processors:
    - mapping: |
        root.message = this
        root.meta.link_count = this.links.length()
        root.user.age = this.user.age.number()

output:
  redis_streams:
    url: tcp://TODO:6379
    stream: baz
    max_in_flight: 20

Snyk secures the Bento project

At Snyk, we like to ‘dogfood’ our products, and we use Snyk in our CI/CD pipelines as one example of leveraging Snyk’s developer-first security products.

During a container security scan of the Bento v1.5.0 binary, we detected a vulnerability in golang.org/x/crypto/ssh.

This vulnerability, tracked as CVE-2025-22869 in Snyk’s vulnerability database, is a denial-of-service issue that affects Go projects depending on the x/crypto/ssh library.

Given that Bento is an open-source project, we contacted the maintainers over Discord and were pleased to find them happy for us to contribute some fixes. We created two PRs to fix the issue:

  • A Pull Request to update the project to Go 1.23
  • A follow-up Pull Request to bump Go’s crypto library (golang.org/x/crypto) to a patched version that no longer carries the vulnerability.

Both of our contributions have been merged into the main branch of the Bento project and will be part of future releases.
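The scan above found a vulnerable golang.org/x/crypto version embedded in the Bento binary. The following script is an added example (not Snyk’s or Bento’s code) of the same check done locally: it reads the module list that `go version -m <binary>` prints from a binary’s build info and compares the version of one module against the first patched release. The module path for Bento, the Go version, the dependency versions and hashes in the sample, and the `v0.99.0` default fixed version are constructed placeholders; the real fixed version must be taken from the advisory.

```shell
#!/bin/sh
# Flag a vulnerable module version in a Go binary's embedded build info.
# Input format is that of `go version -m <binary>`: tab-separated "dep" lines,
# optionally followed by a "=>" replacement line; awk treats tabs and spaces alike.

MODULE="golang.org/x/crypto"

# Print the resolved version of module $1 from build info read on stdin.
dep_version() {
  awk -v m="$1" '
    $1 == "dep" && $2 == m { v = $3; want = 1; next }
    want && $1 == "=>"     { v = $3 }   # a replace directive overrides the version
    { want = 0 }
    END { if (v != "") print v }'
}

# True (exit 0) when semantic version $1 is lower than $2. Pre-release or
# pseudo-version suffixes (-rc1, -20250101...) sort below the bare release.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    pa = (a ~ /-/); pb = (b ~ /-/)
    sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    if (pa && !pb) exit 0
    exit 1
  }'
}

# Report on module $1 against first fixed version $2; build info on stdin.
# Prints "vulnerable <v>", "ok <v>" or "absent"; exits 1 only when vulnerable.
check_dep() {
  v=$(dep_version "$1")
  [ -n "$v" ] || { echo "absent"; return 0; }
  if version_lt "$v" "$2"; then echo "vulnerable $v"; return 1; fi
  echo "ok $v"
}

# Constructed sample build info (paths, versions and hashes are made up).
SAMPLE_BUILDINFO='bento: go1.22.0
  path github.com/warpstreamlabs/bento
  mod github.com/warpstreamlabs/bento v1.5.0
  dep golang.org/x/crypto v0.31.0 h1:CONSTRUCTEDHASH=
  dep golang.org/x/net v0.33.0 h1:CONSTRUCTEDHASH='

# Demo against the sample; v0.99.0 is a placeholder, set FIXED_VERSION from the advisory.
printf '%s\n' "$SAMPLE_BUILDINFO" | check_dep "$MODULE" "${FIXED_VERSION:-v0.99.0}" \
  || echo "action: bump $MODULE to the first patched release"
```

For a real binary, replace the sample with `go version -m ./bento | check_dep golang.org/x/crypto <fixed-version>`.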

Snyk invitation to secure Open Source projects

Earlier this year, we launched Snyk’s Secure Developer Program—a new program that invites open source maintainers to connect their projects to Snyk and receive the full enterprise-grade and unlimited scans experience from Snyk. This includes API access, Snyk’s own DeepCode AI Fix, Service Accounts, and many more features to help you address security vulnerabilities and produce secure software.
